Managing security groups

Security groups are one of the greatest features of OpenStack. A common new-user issue with OpenStack is failing to set an appropriate security group when launching an instance. As a result, the user is unable to contact the instance on the network. Security groups are sets of IP filter rules that are applied to an instance's networking. They are project specific, and project members can edit the default rules for their group and add new rule sets. All projects have a "default" security group, which is applied to instances that have no other security group defined. Unless changed, this security group denies all incoming traffic.

Security groups are also known as firewalls for your instances, and they're mandatory in our cloud environment. The firewall actually exists on the OpenStack Compute host that is running the instance, not as iptables rules within the running instance. They allow us to protect our hosts by restricting or allowing access to specified service ports, and also protect our instances from other users' instances running on the same hosts. Security groups are the only way to separate one tenant's instances from another tenant's instances when running under the Flat network modes, where VLAN or tunnel separation isn't available.

Virtual firewalls are provided by the advanced Neutron service known as Firewall-as-a-Service (FWaaS).

All projects have a default security group, which is applied to any instance that has no other defined security group. Unless you change the default, this security group denies all incoming traffic and allows only outgoing traffic from your instance. The maximum number of rules per security group is controlled by the security_group_rules quota.

Getting started

The nova command line interface provides facilities for adding rules to security groups. To begin with, ensure that you're logged into a client that has access to the Nova Client tools. These packages can be installed using the following commands:

sudo apt-get update

sudo apt-get -y install python-novaclient

And ensure that you have set the following credentials:

export OS_TENANT_NAME=cookbook

export OS_USERNAME=admin

export OS_PASSWORD=openstack

export OS_AUTH_URL=http://172.16.0.200:5000/v2.0/

export OS_NO_CACHE=1

How to achieve it…

The following sections describe how to create and modify security groups in our OpenStack environment.

Creating security groups:

Recall that we have already created a default security group that opened TCP port 22 from anywhere and allowed us to ping our instances. To open another port, we simply run the command again, assigning that port to a particular group.

For example, to open TCP port 80 and port 443 on our instances using Nova Client, grouping them under a security group called webserver, we first create the group with nova secgroup-create and then add one nova secgroup-add-rule rule for each of the two ports.

The reason we specified a new group, rather than adding these rules to the default group, is that we might not want to open up our web server to everyone, which would happen every time we spun up a new instance. Putting the rules into their own security group allows us to open up access to port 80 on an instance simply by specifying this security group when we launch it.

For example, we specify the --security_groups option when we boot an instance:

nova boot myInstance \
    --image 0e2f43a8-e614-48ff-92bd-be0c68da19f4 --flavor 2 \
    --key_name demo \
    --security_groups default,webserver

Removing a rule from a security group

To remove a rule from a security group, we run the nova secgroup-delete-rule command. For example, to remove the HTTPS rule from our webserver group using Nova Client, we run the following command:

nova secgroup-delete-rule webserver tcp 443 443 0.0.0.0/0

Deleting a security group

To delete a security group, for example webserver, we run the following command:

nova secgroup-delete webserver

How it works…

Creation of a security group is done in two steps, as follows:

The first is that we add a group using the nova secgroup-create command.

Following the creation of a security group, we define rules in that group using the nova secgroup-add-rule command. With this command, we specify the destination ports that we want to open up on our instances and the source networks that are allowed access.

Defining groups and rules using Nova Client

The nova secgroup-create command has the following syntax:

nova secgroup-create group_name "description"

The nova secgroup-add-rule command has the following basic syntax:

nova secgroup-add-rule group_name protocol port_from port_to source

Removing rules from a security group is done using the nova secgroup-delete-rule command, which is analogous to the nova secgroup-add-rule command. Removing a security group altogether is done using the nova secgroup-delete command, which is analogous to the nova secgroup-create command.
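To make the filtering semantics concrete (default deny, rules in the group_name protocol port_from port_to source form, and an instance getting the union of the groups it is booted with), here is an added Python model of the default and webserver groups described above. It is example code written for this page, not part of Nova or the Nova Client; the Rule and group data are constructed to mirror the commands in the recipe, and the ICMP handling assumes nova's -1 -1 convention for "any type/code".

```python
# Added example, not from the original page: a small model of how a Nova
# security group filters ingress traffic. Rule fields follow the argument
# order of `nova secgroup-add-rule group protocol port_from port_to source`.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # tcp, udp or icmp
    port_from: int   # for icmp: ICMP type, -1 = any (assumed nova convention)
    port_to: int     # for icmp: ICMP code, -1 = any
    source: str      # CIDR the traffic is allowed to come from

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        if protocol != self.protocol:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.protocol == "icmp":
            return self.port_from in (-1, port)   # `port` carries the ICMP type
        return self.port_from <= port <= self.port_to


# Constructed groups mirroring the recipe: default opens SSH and ping,
# webserver opens HTTP and HTTPS, each from anywhere (0.0.0.0/0).
GROUPS = {
    "default": [Rule("tcp", 22, 22, "0.0.0.0/0"),     # ... default tcp 22 22 0.0.0.0/0
                Rule("icmp", -1, -1, "0.0.0.0/0")],   # ... default icmp -1 -1 0.0.0.0/0
    "webserver": [Rule("tcp", 80, 80, "0.0.0.0/0"),   # ... webserver tcp 80 80 0.0.0.0/0
                  Rule("tcp", 443, 443, "0.0.0.0/0")],  # ... webserver tcp 443 443 0.0.0.0/0
}


def allows_ingress(groups, protocol, port, src_ip, assigned=("default",)):
    """True if any rule of any assigned group admits the packet; with no
    matching rule the packet is dropped, which is the default-deny policy."""
    return any(r.matches(protocol, port, src_ip)
               for name in assigned for r in groups[name])


def delete_rule(groups, name, protocol, port_from, port_to, source):
    """Mirror of nova secgroup-delete-rule: remove exactly the named rule."""
    groups[name].remove(Rule(protocol, port_from, port_to, source))


def world_open_rules(groups):
    """Audit helper: every rule whose source is the whole address space."""
    return [(n, r) for n, rs in groups.items() for r in rs
            if ipaddress.ip_network(r.source).prefixlen == 0]
```

An instance booted with only the default group answers SSH and ping but not HTTP; booting it with default,webserver adds ports 80 and 443, and deleting the 443 rule closes HTTPS again while leaving the other rules intact.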